Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2514
Views
5
Helpful
19
Replies

Multiple Public IP and No Joy

Go to solution
Atl_Gator
Level 1
Level 1

‎09-11-2011 10:33 PM - edited ‎03-11-2019 02:23 PM

I definitely appreciate the prior help.  Attached is my updated ASA 5505 (8.4[2]) config.

With this config, basically the "laptop" group works fine, but the leo and orion groups don't

ever receive packets inbound.  No DNS, nothing.

The laptop is windows, the other two are servers with two NICs.  The interface cards are

Intel Pro/1000s.   I've been through everything including Vlan protocol conflicts and

actually enaled the servers for 802.1(Q).

Anyway - I'm stumped ...

Anyone see anything obvious here?  Or can recommend a different piece of gear that

can actually work in this scenario?

Labels:
113475-nowork.txt.zip
0 Helpful
19 Replies 19

Go to solution
Atl_Gator
Level 1
Level 1
In response to Atl_Gator

‎09-13-2011 12:58 AM

The interface settings don't allow a subnet of 255.255.255.255.

Additionally (curiously) if I change the host objects to "Network" and then specify the IP and subnet mask, it just

converts them to a a Host object so it means the same thing despite the object type difference.

I can see how this issue of one IP with a subnet mask blocking another NAT rule could happen but I'm still not sure how to tell it to handle the NAT rules in an isolated manner.

0 Helpful

Go to solution
varrao
Level 10
Level 10
In response to Atl_Gator

‎09-13-2011 01:01 AM

Hi,

There are two different things here:

The interface settings would take the whole subnet mask, which would be 255.255.255.0

Second, if you are creating a object network and specifying a single host, then mask would be 255.255.255.255

Thanks,

Varun

Thanks,
Varun Rao
0 Helpful

Go to solution
Atl_Gator
Level 1
Level 1
In response to varrao

‎09-13-2011 01:16 AM

Yep ... however, when you specify that mask for a network object it just converts it to a host object (as was originally created).  I.e., if you create a network object and then edit it, it just drops the 255.255.255.255 and says it is a host object, as would be obvious.

So - still no joy.    I am trying the arp-mac alias thing now that others have talked about online, got the MAC aliases in to point to the outside inbound interface for the NAT-ed public IPs and .... nope. LOL

0 Helpful

Go to solution
Atl_Gator
Level 1
Level 1
In response to Atl_Gator

‎09-13-2011 01:25 AM

Okay - actually, I got it working for the test config and have successfully nat-ted multiple IPs to different hosts with the switch, but, it's not the servers as yet.  The "show xlate" was useful.  There had been a typo.

I'm still not sure this will work in production because the servers were just acting weird, but seeing it work in test is a huge boost.

Thanks Varun!

Did further testing and added all the old nats and swapped them around and the two in the lab are still working ... okay, production test tomorrow night (fingers crossed).

0 Helpful

Go to solution
Atl_Gator
Level 1
Level 1
In response to Atl_Gator

‎09-14-2011 12:22 AM

After a hellish week, finally isolated the issue.   We couldn't allow  for any downtime in swapping the ASA in and out so the 4 hour timeout  on the ARP caches was never reached.

The ISP router ARP caches simply were ignoring our  gear.  The fix was to get the MAC from the old router and enter it in  the new one as a clone and as soon as we did that, everything went live  and pretty.

It is a great device.  The upside is this hellish experience probably turned me into a baby-CCIE.

Thank you everyone for all the help.

If anyone has this issue again, just wait 4 hours or get the old router WAN MAC address and use the interfaces tab to clone it.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card